Why does the repo require both pgp signatures and MD5/SHA1 hashes? Shouldn't the pgp signature be enough?
On the maven central repository, for each artefact there is a:
- .asc file - corresponding to a pgp signature for that artefact.
- .md5 file - containing the MD5 digest of the artefact.
- .sha1 file - containing the SHA1 digest of the artefact.
- .asc.md5 file.
- .asc.sha1 file.
As an example, you can check this publication: https://repo1.maven.org/maven2/org/typelevel/cats-core_2.13/2.4.1/
I am not really sure what files .asc.md5 and .asc.sha1 represent. Are these the digests encrypted with the private key of the signature?
My reasoning is as follows:
- I understand the value of the MD5 and SHA1 digests. It allows you to check if the artefact that you have downloaded is not corrupted. You do this by computing the digest yourself (of the downloaded artefact) and comparing it with corresponding public digest.
- I appreciate also that this does not guarantee the authenticity of the artefact, as someone "in-the-middle" could be feeding you a duped artefact and corresponding duped .md5 and .sha1 files. I understand also that https on maven central does not solve this, as for example you could be accessing it through a proxy.
- My understanding is that pgp signatures solve the issue above by the following mechanism:
Creator of the artefact:

PGP(original-artefact, privateKey) = .asc file

Where, as I understand it, the .asc file is the signature, which is basically a digest of the artefact which is then encrypted using the private key, with some meta information added, namely the hash algorithm.

MavenClient:

PGP(downloaded-artefact, publicKey, .asc file)

1. Compute the digest of the downloaded artefact using the same hash function used to compute the digest in the signature. This is, I assume, stored as metadata on the signature itself (the .asc file).
2. Decrypt the digest contained within the signature using the public key.
3. Compare the digests from steps 1 and 2.

Therefore, I would say that if the digests match then we have verified the authenticity of the artefact, but we have also verified that it has not been corrupted. Otherwise the digest would be different. Right?
Then this begs the question. Why do we need the extra .md5 and .sha1 files?
As a bonus question. Why isn't the public key required to be stored on maven as well? Wouldn't this make things clearer? As it stands, you don't have all the required files/data to verify authenticity. You have to pick up the public key from a pgp server.
So, to summarize, I have the following 3 questions:
- Why does maven central require both pgp signatures of the artefacts and also md5/sha1 hashes? Why isn't the pgp signature enough?
- What do the files .asc.md5 and .asc.sha1 represent?
- Why isn't the public key stored alongside everything else?
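The checksum half of the verification walked through in the question, as an added example (not code from the question, Maven or any client): it parses Maven-style .md5/.sha1 files, recomputes the digest of the downloaded bytes, and then shows why this catches transport corruption but not a proxy that swaps both the artefact and its checksum file. The same routine applies to the .asc.md5/.asc.sha1 pair, which on Central are the digests of the .asc file itself. The artefact bytes and file names are constructed stand-ins.

```python
import hashlib
import hmac
import re

# A Maven checksum file holds the hex digest, sometimes followed by whitespace
# and the file name ("<digest>  <name>"); only the leading hex run matters.
_HEX_RE = re.compile(r"^([0-9a-fA-F]+)")


def parse_checksum_file(text: str) -> str:
    """Return the lower-case hex digest stored in a .md5/.sha1 file."""
    m = _HEX_RE.match(text.strip())
    if not m:
        raise ValueError("no hex digest found in checksum file")
    return m.group(1).lower()


def verify_checksum(artifact: bytes, checksum_text: str, algo: str) -> bool:
    """Recompute the digest of the downloaded artefact and compare it with the
    published one. compare_digest also rejects digests of the wrong length,
    so an md5 file is never accepted as a sha1 check."""
    expected = parse_checksum_file(checksum_text)
    actual = hashlib.new(algo, artifact).hexdigest()
    return hmac.compare_digest(expected, actual)


def checksum_scenarios() -> dict:
    """Three downloads of a constructed artefact: genuine, corrupted in transit,
    and substituted together with its checksum file by an intermediary."""
    original = b"constructed stand-in for cats-core_2.13-2.4.1.jar"
    sha1_file = hashlib.sha1(original).hexdigest() + "  cats-core_2.13-2.4.1.jar\n"

    corrupted = original[:-1] + b"X"          # a flipped byte on the wire
    substituted = b"constructed attacker build"
    substituted_sha1 = hashlib.sha1(substituted).hexdigest()  # recomputed by the attacker

    return {
        "genuine_passes": verify_checksum(original, sha1_file, "sha1"),
        "corruption_detected": not verify_checksum(corrupted, sha1_file, "sha1"),
        # The checksum binds the artefact to the checksum file, not to the
        # publisher, so a consistent swap of both passes. Only the signature,
        # checked against a key obtained out of band, binds it to the publisher.
        "substitution_detected": not verify_checksum(substituted, substituted_sha1, "sha1"),
    }


if __name__ == "__main__":
    print(checksum_scenarios())
```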
https://maven.apache.org/repository/guide-central-repository-upload.html
Quoting the guide above for (1):
As I understand, any artifact such as a JAR, ZIP, TAR, and more must be signed. Checksums such as md5 or sha1 do not need to be signed.
(2) They are the signed checksums. For Gradle specifically, the Signing plugin signs all outputs. So for example, a MavenPublication typically outputs a POM and JAR artifact. When the signing plugin is instructed to sign the publication, it generates checksum files and signs them for each artifact. Note that you can disable some checksums: https://docs.gradle.org/6.0.1/release-notes.html#publication-of-sha256-and-sha512-checksums
(3) It's unusual to publish your public key to a Maven repository. Although I don't believe anything is stopping you. Although since it would be treated as any artifact, you would need to sign it...which doesn't make sense.